| 1 | /* $NetBSD: local.c,v 1.2 2017/02/14 01:16:45 christos Exp $ */ |
| 2 | |
| 3 | /*++ |
| 4 | /* NAME |
| 5 | /* local 8 |
| 6 | /* SUMMARY |
| 7 | /* Postfix local mail delivery |
| 8 | /* SYNOPSIS |
| 9 | /* \fBlocal\fR [generic Postfix daemon options] |
| 10 | /* DESCRIPTION |
| 11 | /* The \fBlocal\fR(8) daemon processes delivery requests from the |
| 12 | /* Postfix queue manager to deliver mail to local recipients. |
| 13 | /* Each delivery request specifies a queue file, a sender address, |
| 14 | /* a domain or host to deliver to, and one or more recipients. |
| 15 | /* This program expects to be run from the \fBmaster\fR(8) process |
| 16 | /* manager. |
| 17 | /* |
| 18 | /* The \fBlocal\fR(8) daemon updates queue files and marks recipients |
| 19 | /* as finished, or it informs the queue manager that delivery should |
| 20 | /* be tried again at a later time. Delivery status reports are sent |
| 21 | /* to the \fBbounce\fR(8), \fBdefer\fR(8) or \fBtrace\fR(8) daemon as |
| 22 | /* appropriate. |
| 23 | /* CASE FOLDING |
| 24 | /* .ad |
| 25 | /* .fi |
| 26 | /* All delivery decisions are made using the bare recipient |
| 27 | /* name (i.e. the address localpart), folded to lower case. |
| 28 | /* See also under ADDRESS EXTENSION below for a few exceptions. |
| 29 | /* SYSTEM-WIDE AND USER-LEVEL ALIASING |
| 30 | /* .ad |
| 31 | /* .fi |
| 32 | /* The system administrator can set up one or more system-wide |
| 33 | /* \fBsendmail\fR-style alias databases. |
| 34 | /* Users can have \fBsendmail\fR-style ~/.\fBforward\fR files. |
| 35 | /* Mail for \fIname\fR is delivered to the alias \fIname\fR, to |
| 36 | /* destinations in ~\fIname\fR/.\fBforward\fR, to the mailbox owned |
| 37 | /* by the user \fIname\fR, or it is sent back as undeliverable. |
| 38 | /* |
| 39 | /* The system administrator can specify a comma/space separated list |
| 40 | /* of ~\fR/.\fBforward\fR like files through the \fBforward_path\fR |
| 41 | /* configuration parameter. Upon delivery, the local delivery agent |
| 42 | /* tries each pathname in the list until a file is found. |
| 43 | /* |
| 44 | /* Delivery via ~/.\fBforward\fR files is done with the privileges |
| 45 | /* of the recipient. |
| 46 | /* Thus, ~/.\fBforward\fR like files must be readable by the |
| 47 | /* recipient, and their parent directory needs to have "execute" |
| 48 | /* permission for the recipient. |
| 49 | /* |
| 50 | /* The \fBforward_path\fR parameter is subject to interpolation of |
| 51 | /* \fB$user\fR (recipient username), \fB$home\fR (recipient home |
| 52 | /* directory), \fB$shell\fR (recipient shell), \fB$recipient\fR |
| 53 | /* (complete recipient address), \fB$extension\fR (recipient address |
| 54 | /* extension), \fB$domain\fR (recipient domain), \fB$local\fR |
| 55 | /* (entire recipient address localpart) and |
| 56 | /* \fB$recipient_delimiter.\fR The forms \fI${name?value}\fR and |
| 57 | /* \fI${name:value}\fR expand conditionally to \fIvalue\fR when |
| 58 | /* \fI$name\fR is (is not) defined. |
| 59 | /* Characters that may have special meaning to the shell or file system |
| 60 | /* are replaced by underscores. The list of acceptable characters |
| 61 | /* is specified with the \fBforward_expansion_filter\fR configuration |
| 62 | /* parameter. |
| 63 | /* |
| 64 | /* An alias or ~/.\fBforward\fR file may list any combination of external |
| 65 | /* commands, destination file names, \fB:include:\fR directives, or |
| 66 | /* mail addresses. |
| 67 | /* See \fBaliases\fR(5) for a precise description. Each line in a |
| 68 | /* user's .\fBforward\fR file has the same syntax as the right-hand part |
| 69 | /* of an alias. |
| 70 | /* |
| 71 | /* When an address is found in its own alias expansion, delivery is |
| 72 | /* made to the user instead. When a user is listed in the user's own |
| 73 | /* ~/.\fBforward\fR file, delivery is made to the user's mailbox instead. |
| 74 | /* An empty ~/.\fBforward\fR file means do not forward mail. |
| 75 | /* |
| 76 | /* In order to prevent the mail system from using up unreasonable |
| 77 | /* amounts of memory, input records read from \fB:include:\fR or from |
| 78 | /* ~/.\fBforward\fR files are broken up into chunks of length |
| 79 | /* \fBline_length_limit\fR. |
| 80 | /* |
| 81 | /* While expanding aliases, ~/.\fBforward\fR files, and so on, the |
| 82 | /* program attempts to avoid duplicate deliveries. The |
| 83 | /* \fBduplicate_filter_limit\fR configuration parameter limits the |
| 84 | /* number of remembered recipients. |
| 85 | /* MAIL FORWARDING |
| 86 | /* .ad |
| 87 | /* .fi |
| 88 | /* For the sake of reliability, forwarded mail is re-submitted as |
| 89 | /* a new message, so that each recipient has a separate on-file |
| 90 | /* delivery status record. |
| 91 | /* |
| 92 | /* In order to stop mail forwarding loops early, the software adds an |
| 93 | /* optional |
| 94 | /* \fBDelivered-To:\fR header with the final envelope recipient address. If |
| 95 | /* mail arrives for a recipient that is already listed in a |
| 96 | /* \fBDelivered-To:\fR header, the message is bounced. |
| 97 | /* MAILBOX DELIVERY |
| 98 | /* .ad |
| 99 | /* .fi |
| 100 | /* The default per-user mailbox is a file in the UNIX mail spool |
| 101 | /* directory (\fB/var/mail/\fIuser\fR or \fB/var/spool/mail/\fIuser\fR); |
| 102 | /* the location can be specified with the \fBmail_spool_directory\fR |
| 103 | /* configuration parameter. Specify a name ending in \fB/\fR for |
| 104 | /* \fBqmail\fR-compatible \fBmaildir\fR delivery. |
| 105 | /* |
| 106 | /* Alternatively, the per-user mailbox can be a file in the user's home |
| 107 | /* directory with a name specified via the \fBhome_mailbox\fR |
| 108 | /* configuration parameter. Specify a relative path name. Specify a name |
| 109 | /* ending in \fB/\fR for \fBqmail\fR-compatible \fBmaildir\fR delivery. |
| 110 | /* |
| 111 | /* Mailbox delivery can be delegated to an external command specified |
| 112 | /* with the \fBmailbox_command_maps\fR and \fBmailbox_command\fR |
| 113 | /* configuration parameters. The command |
| 114 | /* executes with the privileges of the recipient user (exceptions: |
| 115 | /* secondary groups are not enabled; in case of delivery as root, |
| 116 | /* the command executes with the privileges of \fBdefault_privs\fR). |
| 117 | /* |
| 118 | /* Mailbox delivery can be delegated to alternative message transports |
| 119 | /* specified in the \fBmaster.cf\fR file. |
| 120 | /* The \fBmailbox_transport_maps\fR and \fBmailbox_transport\fR |
| 121 | /* configuration parameters specify an optional |
| 122 | /* message transport that is to be used for all local recipients, |
| 123 | /* regardless of whether they are found in the UNIX passwd database. |
| 124 | /* The \fBfallback_transport_maps\fR and |
| 125 | /* \fBfallback_transport\fR parameters specify an optional |
| 126 | /* message transport |
| 127 | /* for recipients that are not found in the aliases(5) or UNIX |
| 128 | /* passwd database. |
| 129 | /* |
| 130 | /* In the case of UNIX-style mailbox delivery, |
| 131 | /* the \fBlocal\fR(8) daemon prepends a "\fBFrom \fIsender time_stamp\fR" |
| 132 | /* envelope header to each message, prepends an |
| 133 | /* \fBX-Original-To:\fR header with the recipient address as given to |
| 134 | /* Postfix, prepends an |
| 135 | /* optional \fBDelivered-To:\fR header |
| 136 | /* with the final envelope recipient address, prepends a \fBReturn-Path:\fR |
| 137 | /* header with the envelope sender address, prepends a \fB>\fR character |
| 138 | /* to lines beginning with "\fBFrom \fR", and appends an empty line. |
| 139 | /* The mailbox is locked for exclusive access while delivery is in |
| 140 | /* progress. In case of problems, an attempt is made to truncate the |
| 141 | /* mailbox to its original length. |
| 142 | /* |
| 143 | /* In the case of \fBmaildir\fR delivery, the local daemon prepends |
| 144 | /* an optional |
| 145 | /* \fBDelivered-To:\fR header with the final envelope recipient address, |
| 146 | /* prepends an |
| 147 | /* \fBX-Original-To:\fR header with the recipient address as given to |
| 148 | /* Postfix, |
| 149 | /* and prepends a \fBReturn-Path:\fR header with the envelope sender |
| 150 | /* address. |
| 151 | /* EXTERNAL COMMAND DELIVERY |
| 152 | /* .ad |
| 153 | /* .fi |
| 154 | /* The \fBallow_mail_to_commands\fR configuration parameter restricts |
| 155 | /* delivery to external commands. The default setting (\fBalias, |
| 156 | /* forward\fR) forbids command destinations in \fB:include:\fR files. |
| 157 | /* |
| 158 | /* Optionally, the process working directory is changed to the path |
| 159 | /* specified with \fBcommand_execution_directory\fR (Postfix 2.2 and |
| 160 | /* later). Failure to change directory causes mail to be deferred. |
| 161 | /* |
| 162 | /* The \fBcommand_execution_directory\fR parameter value is subject |
| 163 | /* to interpolation of \fB$user\fR (recipient username), |
| 164 | /* \fB$home\fR (recipient home directory), \fB$shell\fR |
| 165 | /* (recipient shell), \fB$recipient\fR (complete recipient |
| 166 | /* address), \fB$extension\fR (recipient address extension), |
| 167 | /* \fB$domain\fR (recipient domain), \fB$local\fR (entire |
| 168 | /* recipient address localpart) and \fB$recipient_delimiter.\fR |
| 169 | /* The forms \fI${name?value}\fR and \fI${name:value}\fR expand |
| 170 | /* conditionally to \fIvalue\fR when \fI$name\fR is (is not) |
| 171 | /* defined. Characters that may have special meaning to the |
| 172 | /* shell or file system are replaced by underscores. The list |
| 173 | /* of acceptable characters is specified with the |
| 174 | /* \fBexecution_directory_expansion_filter\fR configuration |
| 175 | /* parameter. |
| 176 | /* |
| 177 | /* The command is executed directly where possible. Assistance by the |
| 178 | /* shell (\fB/bin/sh\fR on UNIX systems) is used only when the command |
| 179 | /* contains shell magic characters, or when the command invokes a shell |
| 180 | /* built-in command. |
| 181 | /* |
| 182 | /* A limited amount of command output (standard output and standard |
| 183 | /* error) is captured for inclusion with non-delivery status reports. |
| 184 | /* A command is forcibly terminated if it does not complete within |
| 185 | /* \fBcommand_time_limit\fR seconds. Command exit status codes are |
| 186 | /* expected to follow the conventions defined in <\fBsysexits.h\fR>. |
| 187 | /* Exit status 0 means normal successful completion. |
| 188 | /* |
| 189 | /* Postfix version 2.3 and later support RFC 3463-style enhanced |
| 190 | /* status codes. If a command terminates with a non-zero exit |
| 191 | /* status, and the command output begins with an enhanced |
| 192 | /* status code, this status code takes precedence over the |
| 193 | /* non-zero exit status. |
| 194 | /* |
| 195 | /* A limited amount of message context is exported via environment |
| 196 | /* variables. Characters that may have special meaning to the shell |
| 197 | /* are replaced by underscores. The list of acceptable characters |
| 198 | /* is specified with the \fBcommand_expansion_filter\fR configuration |
| 199 | /* parameter. |
| 200 | /* .IP \fBSHELL\fR |
| 201 | /* The recipient user's login shell. |
| 202 | /* .IP \fBHOME\fR |
| 203 | /* The recipient user's home directory. |
| 204 | /* .IP \fBUSER\fR |
| 205 | /* The bare recipient name. |
| 206 | /* .IP \fBEXTENSION\fR |
| 207 | /* The optional recipient address extension. |
| 208 | /* .IP \fBDOMAIN\fR |
| 209 | /* The recipient address domain part. |
| 210 | /* .IP \fBLOGNAME\fR |
| 211 | /* The bare recipient name. |
| 212 | /* .IP \fBLOCAL\fR |
| 213 | /* The entire recipient address localpart (text to the left of the |
| 214 | /* rightmost @ character). |
| 215 | /* .IP \fBORIGINAL_RECIPIENT\fR |
| 216 | /* The entire recipient address, before any address rewriting |
| 217 | /* or aliasing (Postfix 2.5 and later). |
| 218 | /* .IP \fBRECIPIENT\fR |
| 219 | /* The entire recipient address. |
| 220 | /* .IP \fBSENDER\fR |
| 221 | /* The entire sender address. |
| 222 | /* .PP |
| 223 | /* Additional remote client information is made available via |
| 224 | /* the following environment variables: |
| 225 | /* .IP \fBCLIENT_ADDRESS\fR |
| 226 | /* Remote client network address. Available as of Postfix 2.2. |
| 227 | /* .IP \fBCLIENT_HELO\fR |
| 228 | /* Remote client EHLO command parameter. Available as of Postfix 2.2. |
| 229 | /* .IP \fBCLIENT_HOSTNAME\fR |
| 230 | /* Remote client hostname. Available as of Postfix 2.2. |
| 231 | /* .IP \fBCLIENT_PROTOCOL\fR |
| 232 | /* Remote client protocol. Available as of Postfix 2.2. |
| 233 | /* .IP \fBSASL_METHOD\fR |
| 234 | /* SASL authentication method specified in the |
| 235 | /* remote client AUTH command. Available as of Postfix 2.2. |
| 236 | /* .IP \fBSASL_SENDER\fR |
| 237 | /* SASL sender address specified in the remote client MAIL |
| 238 | /* FROM command. Available as of Postfix 2.2. |
| 239 | /* .IP \fBSASL_USERNAME\fR |
| 240 | /* SASL username specified in the remote client AUTH command. |
| 241 | /* Available as of Postfix 2.2. |
| 242 | /* .PP |
| 243 | /* The \fBPATH\fR environment variable is always reset to a |
| 244 | /* system-dependent default path, and environment variables |
| 245 | /* whose names are blessed by the \fBexport_environment\fR |
| 246 | /* configuration parameter are exported unchanged. |
| 247 | /* |
| 248 | /* The current working directory is the mail queue directory. |
| 249 | /* |
| 250 | /* The \fBlocal\fR(8) daemon prepends a "\fBFrom \fIsender time_stamp\fR" |
| 251 | /* envelope header to each message, prepends an |
| 252 | /* \fBX-Original-To:\fR header with the recipient address as given to |
| 253 | /* Postfix, prepends an |
| 254 | |
|---|